[time] What to do about abuse

Jeffrey Goldberg jeffrey
Wed Feb 28 16:34:04 UTC 2007

On Feb 28, 2007, at 7:23 AM, Tim Shoppa wrote:

> On Mon, 26 Feb 2007, Jeffrey Goldberg wrote:
>> Well, I'm absolutely flabbergasted by the abusive clients.  I'd like
>> some understanding of what's behind it and what people do about it.
>> It don't see anything to gain by being deliberately abuse.  You don't
>> gain anything by sending out a request 5 times per second.
> While that's an exceptionally stupid client, I myself have
> only seen that kind of abuse when I started to try
> blocking abuse.

As it turned out in this case there were hundreds of clients behind  
an IP address.  And as it turned out reporting the incident to the  
abuse desk of the provider produced the right results.

It certainly happened before I did any blocking.  Likewise I've had  
this going on for the last seven hours.

Clients with rapid updates (min requests of 100):
Rank    First Seen         Client IP     Requests    Rate    Usage   
   1  02/28/07 03:00:53      61111     0.46  26.93%   
26.93% * !

And I haven't done any blocking.

>> And what do people do about them.  I can manually block those clients
>> at my firewall.
> My discovery was that with some classes of clients that will ask
> once every second, if you stop replying then they'll pick up their
> query rate by a factor of 5 in some cases. Whether this hurts
> your bandwidth or your provider's depends on where the firewall
> is but I'd guess that most of us who don't work for an ISP can
> only block traffic after it comes down the wires rather than before.

This is a good point, but if I block by DROPping requests, I at least  
cut my outbound bandwidth.

> There was a different class of client that would normally try
> once every 15 or 30 or 60 seconds, but if I didn't respond they
> started querying every single second.

This is very good to know.  But I'm not really tempted to block the  
ones that are querying every 16s.  I'm more  concerned about the  
extreme ones like listed above.

> Most people who install these stupid NTP clients genuinely
> don't know how poorly behaved the client is. Some (see list
> messages here from a few years back) defend their client
> behavior when it asks more often when it doesn't get good
> time back. Not a traffic-friendly attitude but a very self-
> centered attitude.

That is scary.


Jeffrey Goldberg                        http://www.goldmark.org/jeff/

More information about the pool mailing list